Compliments of Ars Technica
Almost all Android mobile devices available today are susceptible to hacks that can execute malicious code when they are sent a malformed text message or the user is lured to a malicious website, a security researcher reported Monday.
The vulnerability affects about 950 million Android phones and tablets, according to Joshua Drake, vice president of platform research and exploitation at security firm Zimperium. It resides in “Stagefright,” an Android code library that processes several widely used media formats. The most serious exploit scenario is the use of a specially modified text message using the multimedia message (MMS) format. All an attacker needs is the phone number of the vulnerable Android phone. From there, the malicious message will surreptitiously execute malicious code on the vulnerable device with no action required by the end user and no indication that anything is amiss.
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited. Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual—with a trojaned phone.
The vulnerability can be exploited using other attack techniques, including luring targets to malicious websites. Drake will outline six or so additional techniques at next month’s Black Hat security conference in Las Vegas, where he’s scheduled to deliver a talk titled Stagefright: Scary Code in the Heart of Android.
Drake said all versions of Android after and including 2.2 are potentially vulnerable and that it’s up to each device manufacturer to patch the bug. So far, very few devices have been patched, leading him to estimate that about 95 percent of devices—or about 950 million of them—are currently susceptible. Even Google’s Nexus 5 handsets, which typically receive security fixes long before most other Android handsets, remain vulnerable. Nexus 6 devices, meanwhile, were patched only recently against some but not all Stagefright attacks. Vulnerable devices running Android versions prior to 4.3 (Jelly Bean) are at the greatest risk, since earlier Android versions lack some of the more recent exploit mitigations. Fixes require an over-the-air update.
Interestingly, the Stagefright vulnerability also affects Firefox on all platforms except Linux, and that includes the Firefox OS. Firefox developers have patched the vulnerability in versions 38 and up.
“If you install Firefox 38, you can no longer get exploited directly via Firefox,” Drake told Ars. “However, if I make your Firefox download the malicious video instead of trying to play it with a <video> tag, it will still reach the vulnerable Android code.”
SilentCircle, maker of the Blackphone Android handset, has also patched the vulnerability in its PrivatOS with the release of version 1.1.7.